Rotate kubeconfig before it expires

controlplane/internal/controllers/rke2controlplane_controller.go

@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"sigs.k8s.io/cluster-api/util/certs"
 	"strings"
 	"time"
 
@@ -55,6 +56,7 @@ import (
 	"github.com/rancher/cluster-api-provider-rke2/pkg/registration"
 	"github.com/rancher/cluster-api-provider-rke2/pkg/rke2"
 	"github.com/rancher/cluster-api-provider-rke2/pkg/secret"
+	capikubeconfig "sigs.k8s.io/cluster-api/util/kubeconfig"
 )
 
 const (
@@ -812,6 +814,19 @@ func (r *RKE2ControlPlaneReconciler) reconcileKubeconfig(
 		return ctrl.Result{}, nil
 	}
 
+	needsRotation, err := capikubeconfig.NeedsClientCertRotation(configSecret, certs.ClientCertificateRenewalDuration)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if needsRotation {
+		logger.Info("Rotating kubeconfig secret")
+		err = kubeconfig.CreateSecretWithOwner(ctx, r.Client, clusterName, endpoint.String(), controllerOwnerRef)
+		if err != nil {
+			return ctrl.Result{}, errors.Wrap(err, "failed to regenerate kubeconfig")
+		}
+	}
+
 	return ctrl.Result{}, nil
 }